Pivotal Isolation Segment v2.8 Release Notes


This topic contains release notes for Pivotal Isolation Segment v2.8.

Pivotal Platform is certified by the Cloud Foundry Foundation for 2020.

Read more about the certified provider program and the requirements of providers.


Releases

2.8.5

Release Date: 03/13/2020

  • [Bug Fix] Fix DNS Interaction between Loggregator Agent and Doppler
  • Bump ubuntu-xenial stemcell to version 621.59
  • Bump cflinuxfs3 to version 0.169.0
  • Bump loggregator-agent to version 5.2.7

Component               Version
ubuntu-xenial stemcell  621.59
bpm                     1.1.5
cf-networking           2.27.0
cflinuxfs3              0.169.0
diego                   2.44.0
garden-runc             1.19.9
haproxy                 9.8.0
loggregator-agent       5.2.7
mapfs                   1.2.0
metrics-discovery       2.0.2
nfs-volume              5.0.2
routing                 0.198.0
silk                    2.27.0
smb-volume              2.1.1
syslog                  11.6.1

2.8.4

Release Date: 03/02/2020

  • [Feature] Support Maestro’s rotation capability by adding Services TLS CA to all App containers
  • [Feature Improvement] Bring bug fixes and improvements in latest routing releases to all supported PAS versions
  • [Bug Fix] Log only necessary information when auction scoring fails
  • [Bug Fix] Fix Race Condition in Loggregator Agent
  • Bump ubuntu-xenial stemcell to version 621.57
  • Bump cflinuxfs3 to version 0.165.0
  • Bump diego to version 2.44.0
  • Bump loggregator-agent to version 5.2.6
  • Bump routing to version 0.198.0

Component               Version
ubuntu-xenial stemcell  621.57
bpm                     1.1.5
cf-networking           2.27.0
cflinuxfs3              0.165.0
diego                   2.44.0
garden-runc             1.19.9
haproxy                 9.8.0
loggregator-agent       5.2.6
mapfs                   1.2.0
metrics-discovery       2.0.2
nfs-volume              5.0.2
routing                 0.198.0
silk                    2.27.0
smb-volume              2.1.1
syslog                  11.6.1

2.8.3

Release Date: 02/06/2020

  • [Feature Improvement] Use the Diego logging format for the Garden job
  • Bump ubuntu-xenial stemcell to version 621.51
  • Bump cflinuxfs3 to version 0.160.0

Component               Version
ubuntu-xenial stemcell  621.51
bpm                     1.1.5
cf-networking           2.27.0
cflinuxfs3              0.160.0
diego                   2.39.0
garden-runc             1.19.9
haproxy                 9.8.0
loggregator-agent       5.2.1
mapfs                   1.2.0
metrics-discovery       2.0.2
nfs-volume              5.0.2
routing                 0.196.0
silk                    2.27.0
smb-volume              2.1.1
syslog                  11.6.1

2.8.2

Release Date: 01/16/2020

  • [Bug Fix] mapfs - Fix error when appending to a file
  • Bump ubuntu-xenial stemcell to version 621.41
  • Bump cflinuxfs3 to version 0.153.0

Component               Version
ubuntu-xenial stemcell  621.41
bpm                     1.1.5
cf-networking           2.27.0
cflinuxfs3              0.153.0
diego                   2.39.0
garden-runc             1.19.9
haproxy                 9.8.0
loggregator-agent       5.2.1
mapfs                   1.2.0
metrics-discovery       2.0.2
nfs-volume              5.0.2
routing                 0.196.0
silk                    2.27.0
smb-volume              2.1.1
syslog                  11.6.1

2.8.1

Release Date: 12/26/2019

  • [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for syslog release
  • [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for garden-runc release
  • [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for loggregator releases
  • [Feature] Expose all platform metrics on Prometheus endpoints
  • [Bug Fix] Passwords containing commas no longer cause the SMB volume service to crash at startup with a “mount failed” error
  • Bump ubuntu-xenial stemcell to version 621.29
  • Bump cflinuxfs3 to version 0.151.0
  • Bump garden-runc to version 1.19.9
  • Bump loggregator-agent to version 5.2.1
  • Add new release metrics-discovery at version 2.0.2
  • Bump smb-volume to version 2.1.1
  • Bump syslog to version 11.6.1

Component               Version
ubuntu-xenial stemcell  621.29
bpm                     1.1.5
cf-networking           2.27.0
cflinuxfs3              0.151.0
diego                   2.39.0
garden-runc             1.19.9
haproxy                 9.8.0
loggregator-agent       5.2.1
mapfs                   1.2.1
metrics-discovery       2.0.2
nfs-volume              5.0.2
routing                 0.196.0
silk                    2.27.0
smb-volume              2.1.1
syslog                  11.6.1

2.8.0

Release Date: 12/09/2019

  • See New Features in Pivotal Isolation Segment v2.8
  • See Breaking Changes
  • [Feature Improvement] Upgrade Routing, Networking, and Silk releases to use the Go 1.13 release
  • [Feature Improvement] Add syslog log-cache aggregate drain
  • Bump cf-networking to version 2.27.0
  • Bump cflinuxfs3 to version 0.150.0
  • Bump routing to version 0.196.0
  • Bump silk to version 2.27.0

Component               Version
ubuntu-xenial stemcell  621.26
bpm                     1.1.5
cf-networking           2.27.0
cflinuxfs3              0.150.0
diego                   2.39.0
garden-runc             1.19.8
haproxy                 9.8.0
loggregator-agent       5.1.0
mapfs                   1.2.1
nfs-volume              5.0.2
routing                 0.196.0
silk                    2.27.0
smb-volume              2.1.0
syslog                  11.5.0

About Pivotal Isolation Segment

The Pivotal Isolation Segment v2.8 tile is available for installation with Pivotal Platform v2.8.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different Pivotal Platform deployments but avoids redundant management and network complexity. For more information about isolation segments, see Isolation Segments in PAS Security.

For more information about using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

To install Pivotal Isolation Segment v2.8, see Installing Pivotal Isolation Segment.

To install Pivotal Isolation Segment v2.8, you must first install Pivotal Platform v2.8.

New Features in Pivotal Isolation Segment v2.8

Pivotal Isolation Segment v2.8 includes the following major features:

Diego Sets Container CPU Weight Property Equal to Container Memory Limit

Diego sets the CPU weight property on the containers it creates to a number equivalent to the container memory limit. This allows Garden to calculate the AbsoluteCPUEntitlement metric, which is the CPU entitlement for the container. With AbsoluteCPUEntitlement, Garden can produce accurate CPU usage metrics that are relative to AbsoluteCPUEntitlement.

For more information about the AbsoluteCPUEntitlement metric, see Diego Container Metrics in Container Metrics. For information about the Cloud Foundry CPU Entitlement Plugin, an experimental plugin that allows you to examine the CPU usage of PAS apps relative to their CPU entitlement, see the Cloud Foundry CPU Entitlement Plugin repository on GitHub.

SMB Volume Services Enabled by Default

SMB volume services are enabled by default. When SMB volume services are enabled, app developers can bind existing SMB shares to apps for shared file access.

To disable SMB volume services in the Pivotal Isolation Segment tile, select Advanced Features and clear the Enable SMB volume services checkbox.

For more information, see Advanced Features in Installing Pivotal Isolation Segment.

For general information about volume services, see Using an External File System (Volume Services).

NFS Broker Uses CredHub as Backing Store

NFS Broker uses CredHub as its backing store, rather than an internal Pivotal Application Service (PAS) database. Because BOSH Backup and Restore (BBR) no longer backs up NFS Broker, the nfsbroker-bbr job is removed.

For more information about CredHub, see CredHub.

Use Pivotal Isolation Segment to Improve Upgrades for Large Foundations

You can use the Pivotal Isolation Segment tile to deploy a separate group of Diego Cells without isolating the Diego Cell capacity from other apps.

This approach helps separate the upgrade of the PAS control plane from the upgrade of the Diego Cells. Further, it splits the upgrade of the Diego Cells into smaller groups. This helps operators of large foundations by making upgrades more manageable. It does not affect developers pushing apps to PAS.

To use this feature, go to the Compute and Networking Isolation pane in the Pivotal Isolation Segment tile and select None for Tag name for Diego Cell blocks.

For more information, see Compute and Networking Isolation in Installing Pivotal Isolation Segment.

Support for Pushing Container Images Hosted in AWS ECR

When you push container images hosted in AWS Elastic Container Registry (ECR) with the Cloud Foundry CLI (cf CLI), you can provide the access key ID and secret for an AWS IAM user as a Docker username and password as part of the cf push command. Apps can then continue to restart and restage successfully.

This update allows the cf CLI to successfully pull container images hosted in ECR with valid AWS Identity and Access Management (IAM) user credentials.

For more information, see Amazon Elastic Container Registry (ECR) in Deploying an App with Docker.

Mutual TLS Added to Loggregator Endpoints and Components

Mutual TLS is added to the Loggregator, Loggregator Agent, and Log Cache endpoints. It is also added to the Leadership Election job. This provides additional security between these endpoints and metric scrapers.

For more information about Loggregator components, see Loggregator Architecture. For more information about the Leadership Election job and metric scraping, see the System Metrics repository on GitHub.

V2 Firehose Can Be Disabled

You can disable the Loggregator V2 Firehose by deselecting the Enable V2 Firehose checkbox in the System Logging pane of the PAS tile. This shuts down VMs used for the V2 Firehose, such as Dopplers and Reverse Log Proxies. After you disable the V2 Firehose, you can delete these VMs from your deployment to save resources.

Warning: If you disable the V2 Firehose, you must select the Enable Log Cache syslog ingestion checkbox, or logs and metrics do not appear in Log Cache. Pivotal recommends that you do not disable the Firehose if you are dependent on any of the following:
  • Service tile metrics
  • Pivotal Healthwatch or Pivotal App Metrics
  • Partner log or metric integrations

Warning: If you disable the V1 or V2 Firehose, you must disable the Smoke Test Errand or the deploy fails. For more information, see Disable the Smoke Test Errand If You Disable the Firehose in the Pivotal Application Service v2.8 release notes.

For more information, see Configure System Logging in Configuring PAS.

Aggregate Drain for Metrics and App Logs

When an aggregate log and metric drain is configured in PAS, Pivotal Isolation Segment sends logs and metrics to the Loggregator Log Cache syslog server through the aggregate log and metric drain instead of the Loggregator Firehose. This allows you to disable the Firehose and delete related VMs, such as Dopplers and Reverse Log Proxies. For more information about disabling the Firehose, see V2 Firehose Can Be Disabled.

To enable an aggregate log and metric drain for your foundation, add a comma-separated list of syslog endpoints to the Aggregate log and metric drain destinations field in the System Logging pane of the PAS tile. For more information, see Configure System Logging in Configuring PAS.

About Advanced Features

The Advanced Features section of the Pivotal Isolation Segment v2.8 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

Known Issues

There are currently no known issues in Pivotal Isolation Segment v2.8.